Some TP-Link Archer routers have major vulnerability - patched firmware at the link below.

TP-Link patched a critical vulnerability impacting some of its Archer routers that could allow potential attackers to void their admin passwords and remotely take control of the devices over LAN via a Telnet connection.
"If exploited, this router vulnerability can allow a remote attacker to take control of the router’s configuration via Telnet on the local area network (LAN) and connect to a File Transfer Protocol (FTP) server through the LAN or wide area network (WAN)," found IBM X-Force Red's Grzegorz Wypych.
To exploit this security flaw, attackers have to send an HTTP request containing a character string longer than the allowed number of bytes, with the result being that the user password is completely voided and replaced with an empty value.
This works despite built-in validation because it only checks the referrer’s HTTP headers, allowing the attacker to trick the router’s httpd service to recognize the request as valid by using the hardcoded tplinkwifi.net value.

Since the only type of users on these routers is admin with full root permissions, once the threat actors bypass the authentication process, they would automatically get admin privileges on the router.
From here on, "all processes are run by the user under this access level, which can allow an attacker to operate as admin and take over the device."
"Not only can attackers attain privileged access, but the legitimate user can also be locked out and would no longer be able to log in to the web service through the user interface since that page would no longer accept any passwords (unbeknownst to the user)," Wypych adds.
"In such an event, the victim could lose access to the console and even a shell, and thereby would not be able to re-establish a new password."

To make things even worse, even if the router owner would set a new password on the device, attackers could again void it with another LAN/WAN/CGI request leaving the USB connections to the built-in FTP server as the only way to access it.
Furthermore, RSA encryption keys would automatically fail too since they won't work with empty passwords.
"This flaw is considered critical since it can grant an unauthorized third-party access to the router with admin privileges, which are the default on this device for all users, without proper authentication taking place," Wypych explains.
"The risk is greater on business networks where routers such as this can be used to enable guest Wi-Fi. If placed on the enterprise network, a compromised router can become a point of entry to an attacker, and a place to pivot from in recon and lateral movement tactics."

Security patches available

TP-Link has already released patches to help customers protect their routers against attacks that would abuse the security vulnerability currently tracked as CVE-2019-7405.
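The flaw pattern described in this post, as an added illustration that is neither TP-Link's firmware code nor from the article: a toy password-change handler that trusts the client-supplied Referer header and blanks the stored password when the submitted value is over-long, beside a hardened handler that requires a server-issued session token and rejects over-long input. The buffer size, field names and session handling are assumptions.

```python
"""Constructed model of the CVE-2019-7405 pattern: Referer-only "authentication"
plus an over-long password that ends up stored as an empty string, next to a
hardened handler. Not TP-Link's code; sizes and names are assumptions."""
from dataclasses import dataclass, field
import hmac
import secrets

MAX_PASSWORD_BYTES = 15           # assumed buffer size, not taken from the advisory
TRUSTED_HOST = "tplinkwifi.net"   # hard-coded value the referer check compares against


@dataclass
class Request:
    headers: dict
    form: dict
    cookies: dict = field(default_factory=dict)


@dataclass
class RouterState:
    admin_password: str = "correct horse"   # constructed starting credential
    session_token: str = ""


def vulnerable_set_password(router: RouterState, req: Request) -> str:
    """Models the flawed check: any request whose Referer names the expected host
    is treated as authenticated (the header is fully under the client's control),
    and an over-long password is written as an empty string, mirroring the
    reported behaviour, instead of being rejected."""
    referer = req.headers.get("Referer", "")
    if TRUSTED_HOST not in referer:
        return "403 forbidden"
    new_pw = req.form.get("password", "")
    if len(new_pw.encode()) > MAX_PASSWORD_BYTES:
        router.admin_password = ""        # the failure mode: password voided
    else:
        router.admin_password = new_pw
    return "200 ok"


def hardened_set_password(router: RouterState, req: Request) -> str:
    """Requires a session token the server issued (compared in constant time),
    enforces the length limit by rejecting the request, and never stores an
    empty password. The Referer header plays no part in the decision."""
    token = req.cookies.get("session", "")
    if not router.session_token or not hmac.compare_digest(
        token.encode(), router.session_token.encode()
    ):
        return "401 unauthorized"
    new_pw = req.form.get("password", "")
    if not new_pw or len(new_pw.encode()) > MAX_PASSWORD_BYTES:
        return "400 bad request"
    router.admin_password = new_pw
    return "200 ok"


def login(router: RouterState, password: str) -> str:
    """Issues a session token only after a real credential check; an empty
    password is never accepted, so a blanked credential cannot be used to log in.
    (A real device would compare against a salted hash, not the plaintext.)"""
    if password and hmac.compare_digest(
        password.encode(), router.admin_password.encode()
    ):
        router.session_token = secrets.token_hex(16)
        return router.session_token
    return ""
```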

WASHINGTON — It is billed as an easy and secure way to chat by video or text message with friends and family, even in a country that has restricted popular messaging services like WhatsApp and Skype.
But the service, ToTok, is actually a spying tool, according to U.S. officials familiar with a classified intelligence assessment and a New York Times investigation into the app and its developers. It is used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.

ToTok, introduced only months ago, was downloaded millions of times from the Apple and Google app stores by users throughout the Middle East, Europe, Asia, Africa and North America. While the majority of its users are in the Emirates, ToTok surged to become one of the most downloaded social apps in the U.S. last week, according to app rankings and App Annie, a research firm.

ToTok amounts to the latest escalation in a digital arms race among wealthy authoritarian governments, interviews with current and former U.S. foreign officials and a forensic investigation showed. The governments are pursuing more effective and convenient methods to spy on foreign adversaries, criminal and terrorist networks, journalists and critics — efforts that have ensnared people all over the world in their surveillance nets.
Persian Gulf nations like Saudi Arabia, the Emirates and Qatar previously turned to private firms — including Israeli and U.S. contractors — to hack rivals and, increasingly, their own citizens. The development of ToTok, experts said, showed that the governments can cut out the intermediary to spy directly on their targets, who voluntarily, if unwittingly, hand over their information.

A technical analysis and interviews with computer security experts showed that the firm behind ToTok, Breej Holding, is most likely a front company affiliated with DarkMatter, an Abu Dhabi-based cyberintelligence and hacking firm where Emirati intelligence officials, former National Security Agency employees and former Israeli military intelligence operatives work. DarkMatter is under FBI investigation, according to former employees and law enforcement officials, for possible cybercrimes. The U.S. intelligence assessment and the technical analysis also linked ToTok to Pax AI, an Abu Dhabi-based data mining firm that appears to be tied to DarkMatter.
Pax AI’s headquarters operate from the same Abu Dhabi building as the Emirates’ signals intelligence agency, which until recently was where DarkMatter was based.
The UAE is one of America’s closest allies in the Middle East, seen by the Trump administration as a bulwark against Iran and a close counterterrorism partner. Its ruling family promotes the country as an example of a modern, moderate Arab nation, but it has also been at the forefront of using surveillance technology to crack down on internal dissent — including hacking Western journalists, emptying the banking accounts of critics, and holding human rights activists in prolonged solitary confinement over Facebook posts.

The government blocks specific functions of apps like WhatsApp and Skype, a reality that has made ToTok particularly appealing in the country. Huawei, the Chinese telecom giant, recently promoted ToTok in advertisements.

Spokesmen for the CIA and the Emirati government declined to comment. Calls to a phone number for Breej Holding rang unanswered, and Pax employees did not respond to emails and messages. An FBI spokeswoman said that “while the FBI does not comment on specific apps, we always want to make sure to make users aware of the potential risks and vulnerabilities that these mechanisms can pose.”

When The Times initially contacted Apple and Google representatives with questions about ToTok’s connection to the Emirati government, they said they would investigate. On Thursday, Google removed the app from its Play store after determining ToTok violated unspecified policies. Apple removed ToTok from its App Store on Friday and was still researching the app, a spokesman said. ToTok users who already downloaded the app will still be able to use it until they remove it from their phones.

It was unclear when U.S. intelligence services first determined that ToTok was a tool of Emirati intelligence, but one person familiar with the assessment said that U.S. officials have warned some allies about its dangers. It is not clear whether U.S. officials have confronted their counterparts in the Emirati government about the app. One digital security expert in the Middle East, speaking on the condition of anonymity to discuss powerful hacking tools, said that senior Emirati officials told him that ToTok was indeed an app developed to track its users in the Emirates and beyond.
ToTok appears to have been relatively easy to develop, according to a forensic analysis performed for The Times by Patrick Wardle, a former NSA hacker who works as a private security researcher. It appears to be a copy of a Chinese messaging app offering free video calls, YeeCall, slightly customized for English and Arabic audiences.

ToTok is a cleverly designed tool for mass surveillance, according to the technical analysis and interviews, in that it functions much like the myriad other Apple and Android apps that track users’ location and contacts.
On the surface, ToTok tracks users’ location by offering an accurate weather forecast. It hunts for new contacts any time a user opens the app, under the pretense that it is helping connect with their friends, much like how Instagram flags Facebook friends. It has access to users’ microphones, cameras, calendar and other phone data. Even its name is an apparent play on the popular Chinese app TikTok.
Though billed as “fast and secure,” ToTok makes no claim of end-to-end encryption, like WhatsApp, Signal or Skype. The only hint that the app discloses user data is buried in the privacy policy: “We may share your personal data with group companies.”
So instead of paying hackers to gain access to a target’s phone — the going rate is up to $2.5 million for a hacking tool that can remotely access Android phones, according to recent price lists — ToTok gave the Emirati government a way to persuade millions of users to hand over their most personal information for free.
“There is a beauty in this approach,” said Wardle, now a security researcher at Jamf, a software company. “You don’t need to hack people to spy on them if you can get people to willingly download this app to their phone. By uploading contacts, video chats, location, what more intelligence do you need?”
In an intelligence-gathering operation, Wardle said, ToTok would be Phase 1. Much like the NSA’s bulk metadata collection program — which was quietly shut down this year — ToTok allows intelligence analysts to analyze users’ calls and contacts in search of patterns, though its collection is far more invasive. It is unclear whether ToTok allows the Emiratis to record video or audio calls of its users.

Each day, billions of people freely forgo privacy for the convenience of using apps on their phones. The Privacy Project by the Times’ Opinion section published an investigation last week revealing how app makers and third parties track the minute-by-minute movements of mobile phone users.
Private companies collected that data for targeted marketing. In ToTok’s case — according to current and former officials and digital crumbs the developers left behind — much of the information is funneled to intelligence analysts working on behalf of the Emirati state.
In recent months, semiofficial state publications began promoting ToTok as the free app long sought by Emiratis. This month, users of a messaging service in the Emirates requiring paid subscriptions, Botim, received an alert telling users to switch to ToTok — which it called a “free, fast and secure” messaging app. Accompanying the message was a link to install it.
The marketing seems to have paid off.

In reviews, Emiratis expressed gratitude to ToTok’s developers for finally bringing them a free messaging app. “Blessings! Your app is the best App so far that has enable me and my family to stay connected!!!” one wrote. “Kudos,” another wrote. “Finally, an app that works in the UAE!”
ToTok’s popularity extended beyond the Emirates. According to recent Google Play rankings, it was among the top 50 free apps in Saudi Arabia, Britain, India, Sweden and other countries. Some analysts said it was particularly popular in the Middle East because — at least on the surface — it was unaffiliated with a large, powerful nation.
Though the app is a tool for the Emirati government, the exact relationship between the firms behind it is murky. Pax employees are made up of European, Asian and Emirati data scientists, and the company is run by Andrew Jackson, an Irish data scientist who previously worked at Palantir, a Silicon Valley firm that works with the Pentagon and U.S. spy agencies.
Its affiliate company, DarkMatter, is in effect an arm of the Emirati government. Its operations have included hacking government ministries in Iran, Qatar and Turkey; executives of FIFA, the world soccer organization; journalists and dissidents.
Last month, the Emirati government announced that DarkMatter would combine with two dozen other companies to create a defense conglomerate focused on repelling cyberattacks.

The FBI is investigating American employees of DarkMatter for possible cybercrimes, according to people familiar with the investigation. The inquiry intensified after former NSA hackers working for the company grew concerned about its activities and contacted the bureau. Reuters first reported the program they worked on, Project Raven.

At Pax, data scientists openly brag about their work on LinkedIn. One who listed his title as “data science team lead” said he had created a “message intelligence platform” that reads billions of messages to answer four questions: “who you are, what you do, how do you think, and what is your relationship with others.”
“With the answers to these four questions, we know everything about one person,” wrote the data scientist, Jingyan Wang.
Other Pax employees describe their experience creating tools that can search government data sets for faces from billions of video feeds and pinpoint Arabic dialects from transcribed video messages.
None mention an affiliation with ToTok.
This article originally appeared in The New York Times.

Microsoft has released a security patch for a dangerous vulnerability affecting hundreds of millions of computers running Windows 10.
The vulnerability is found in a decades-old Windows cryptographic component, known as CryptoAPI. The component has a range of functions, one of which allows developers to digitally sign their software, proving that the software has not been tampered with. But the bug may allow attackers to spoof legitimate software, potentially making it easier to run malicious software — like ransomware — on a vulnerable computer.
"The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," Microsoft said.

Microsoft has published a security advisory today about an Internet Explorer (IE) vulnerability that is currently being exploited in the wild -- a so-called zero-day.

The company's security advisory (ADV200001) currently only includes workarounds and mitigations that can be applied in order to safeguard vulnerable systems from attacks.
At the time of writing, there is no patch for this issue. Microsoft said it was working on a fix, to be released at a later date.
While Microsoft said it was aware that the IE zero-day was being exploited in the wild, the company described these as "limited targeted attacks," suggesting the zero-day was not broadly exploited, but rather that it was part of attacks aimed at a small number of users.
These limited IE zero-day attacks are believed to be part of a larger hacking campaign, which also involves attacks against Firefox users.

Last week, Mozilla patched a similar zero-day that was being exploited to attack Firefox users. Mozilla credited Qihoo 360 for discovering and reporting the Firefox zero-day.
In a now-deleted tweet, the Chinese cyber-security firm said the attackers were also exploiting an Internet Explorer zero-day. This appears to be the zero-day that Qihoo 360 researchers mentioned at the time.
No information has been shared about the attacker or the nature of the attacks. Qihoo 360 did not return a request for comment seeking information about the attacks.

At the technical level, Microsoft described this IE zero-day as a remote code execution (RCE) flaw caused by a memory corruption bug in IE's scripting engine -- the browser component that handles JavaScript code.
Below is Microsoft's technical description of this zero-day:

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
All supported Windows desktop and Server OS versions are impacted, Microsoft said.
This IE RCE zero-day does not have a CVE identifier assigned at the moment.
Microsoft patched two similar IE zero-days in September and November 2019. Although IE is not the default browser in the latest Windows OS versions anymore, the browser is still installed with the OS. Users on older Windows releases are the ones primarily at risk.

Clever Android Virus Keeps Coming Back Even After a Full Reset
xHelper is an Android malware infection that has been around for a while, with security vendor Malwarebytes first detecting it in May 2019. Since then, the majority of Android security apps added xHelper detection, which means that most devices should already be protected against this form of malware.
But as it turns out, cleaning a device is much harder than we think, as xHelper keeps coming back even after a full reset.
How is this possible? Malwarebytes says xHelper is not based on pre-installed malware bundled with the firmware, but uses Google Play, which keeps serving the infection after a full device reset or a successful clean with an antivirus.
“Google Play was not infected with malware. However, something within Google PLAY was triggering the re-infection—perhaps something that was sitting in storage. Furthermore, that something could also be using Google PLAY as a smokescreen, falsifying it as the source of malware installation when in reality, it was coming from someplace else,” Malwarebytes explains in a new analysis of the malware.
Disabling Google Play
The security vendor details the case of a customer whose device was infected with xHelper. Following a closer inspection of the files stored on the compromised Android phone, it was discovered that a Trojan dropper was embedded into an APK located in a directory called com.mufc.umbtts.
The worse part is that researchers still don’t know how Google Play is used to trigger the infection.
“Here’s the confusing part: Nowhere on the device does it appear that Trojan.Dropper.xHelper.VRW is installed. It is our belief that it installed, ran, and uninstalled again within seconds to evade detection—all by something triggered from Google Play. The “how” behind this is still unknown,” the Malwarebytes researchers explain.
To clean the infection, users first need to disable the Google Play store and only then run a device scan with an antivirus. Otherwise, the malware will keep coming back, despite the virus apparently getting removed.

Sure it does if you use another DNS provider than google because then they can not link your DNS requests to your recent google search.
They want to see which of the presented google results you did choose to visit.

If you have a Netgear Router, check if it's on the list and, if so, update it.

Netgear this week has pushed out a passel of patches for its home networking gear, covering seven modem-router gateways, one range extender and 40-odd routers, including some Nighthawk models and Orbi mesh routers and satellites.
A full list of the affected models is at the end of this story.
The worst of the flaws lets hackers remotely install malware on the Nighthawk X4S gaming router, model R7800. That could lead to the entire Wi-Fi network and all web traffic that runs through it being compromised. Netgear gives that vulnerability a severity score of 9.4/10, which qualifies as "critical."

Almost as bad is a "pre-authentication command injection security vulnerability" on five models, which could also lead to total network takeover. That affects router models R6400v2, R6700, R6700v3, R6900 and R7900. It gets a "high" severity rating of 8.3/10.

Moderately dangerous is an "authentication bypass security vulnerability" on 11 routers and gateways and one range extender. Netgear's description of the flaw is pretty vague, but given the 6.8/10, "medium" severity score, it implies that an outside attacker could gain unauthorized access to your home Wi-Fi network.
That may be a danger to other devices connected to the network, but probably not to the router itself. This flaw affects the D6200 and D7000 modem-routers, the PR2000 Wi-Fi range extender and the R6050, JR6150, R6120, R6220, R6230, R6260, R6700v2, R6800 and R6900v2 routers.
About 20 flaws involve "stored cross-site scripting," which may mean that someone could add unauthorized commands to the router's administrative interface, provided they have the administrative passwords in the first place. We're just guessing here, as Netgear isn't providing details.
But Netgear has given all these "medium" severity scores of 6/10. There are too many routers affected to list in this paragraph. Suffice it to say if your model appears in the table below, but not in the lists of the more severe flaws above, then it's got one of these cross-site scripting flaws.

Which Netgear router do I have?

Now comes the fun part. Netgear does a terrible job of communicating to its customers exactly what each router's model number actually is. Netgear barely uses the actual model numbers in its consumer marketing and packaging, which doesn't help when its customers have to scramble to figure out whether their model needs a security update.
For example, the R8000P, one of the models that currently has a cross-site-scripting flaw, is marketed as the "AC4000 Nighthawk X6S Tri-Band WiFi Router with MU-MIMO."
On the Netgear website page for that model, you have to squint to find the model number, or notice that the number is part of the page's URL. Likewise, our own Netgear Nighthawk X6S review doesn't mention the actual R8000P model name.
To make sure which Netgear model you have, turn the device over and look at the sticker on the bottom. The model number should be in the upper left, printed underneath the "NETGEAR" logo.

How to update your Netgear router's firmware

Unfortunately, the update procedures differ among the various models. The Orbis and some of the newer Nighthawks can be patched via their companion smartphone apps. Older models may need to be patched manually by downloading a compressed file to a PC or Mac, then connecting the router or modem-router to the computer.
Easiest:
If your router does have a companion smartphone Netgear app, then please do poke around in that and find out where to update the router's firmware.
Somewhat less easy:
You can also pop open a web browser on a laptop or PC when you're connected to your home Wi-Fi network and type in "www.routerlogin.net" or "192.168.1.1". That should take you to the local administration interface for the router.
Type in your administrative username and password -- let's hope you didn't leave them on the factory defaults -- then find the Advanced tab, select Administration and then Router Update. Click "Check" and the router will check for an update, after which you can follow the instructions to install it.
Pain in the butt, but you gotta do it if nothing else works:
Alternately, all Netgear customers can go to the Netgear support website, go through a few steps to narrow down the selection to their model, see if there's firmware available, download it to your PC and then, well, find the online user manual for instructions on how to install the firmware.
We wish this was an easier process. Router updates are one of the most critical things you can do to keep your computers, smartphones, gaming consoles, smart-home devices and personal information safe. Someday all router makers will understand that.

All Netgear home networking devices that need to install the March 2020 firmware updates

Well this is a bitch. Unless you have behavioural antivirus, (well, even if you've got it tbh):

- Don't click on links or attachments unless you are 110% certain you know what they are.
- If you have the latest Windows 10, use Controlled Folder Access (it's not 100% protection but it might help). Link HERE
- BACKUP YOUR CRITICAL DATA

One that affects all you cheapskates and luddites using out-of-support OS's.

Microsoft is warning of critical zero-day flaws in its Windows operating system that could enable remote code execution. The unpatched flaws are being exploited by attackers in “limited, targeted” attacks, the company said.

According to Microsoft, two remote code execution vulnerabilities exist in the way that Windows’ Adobe Type Manager Library handles certain fonts. Adobe Type Manager is a font management tool built into both Mac OS and Windows operating systems, and produced by Adobe. While no patches are available for the flaws, workaround mitigations can protect users.

“Microsoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released,” according to a Monday Microsoft security advisory.

WASHINGTON/SAN FRANCISCO (Reuters) - Apple Inc is planning to fix a flaw that a security firm said may have left more than half a billion iPhones vulnerable to hackers.

The bug, which also exists on iPads, was discovered by ZecOps, a San Francisco-based mobile security forensics company, while it was investigating a sophisticated cyberattack against a client that took place in late 2019. Zuk Avraham, ZecOps’ chief executive, said he found evidence the vulnerability was exploited in at least six cybersecurity break-ins.

An Apple spokesman acknowledged that a vulnerability exists in Apple’s software for email on iPhones and iPads, known as the Mail app, and that the company had developed a fix, which will be rolled out in a forthcoming update on millions of devices it has sold globally.
Apple declined to comment on Avraham’s research, which was published on Wednesday, that suggests the flaw could be triggered from afar and that it had already been exploited by hackers against high-profile users.

Avraham said he found evidence that a malicious program was taking advantage of the vulnerability in Apple’s iOS mobile operating system as far back as January 2018. He could not determine who the hackers were and Reuters was unable to independently verify his claim.
To execute the hack, Avraham said victims would be sent an apparently blank email message through the Mail app forcing a crash and reset. The crash opened the door for hackers to steal other data on the device, such as photos and contact details.
ZecOps claims the vulnerability allowed hackers to remotely steal data off iPhones even if they were running recent versions of iOS. By itself, the flaw could have given access to whatever the Mail app had access to, including confidential messages.
Avraham, a former Israeli Defense Force security researcher, said he suspected that the hacking technique was part of a chain of malicious programs, the rest undiscovered, which could have given an attacker full remote access. Apple declined to comment on that prospect.

ZecOps found the Mail app hacking technique was used against a client last year. Avraham described the targeted client as a “Fortune 500 North American technology company,” but declined to name it. They also found evidence of related attacks against employees of five other companies in Japan, Germany, Saudi Arabia, and Israel.
Avraham based most of his conclusions on data from “crash reports,” which are generated when programs fail in mid-task on a device. He was then able to recreate a technique that caused the controlled crashes.
Two independent security researchers who reviewed ZecOps’ discovery found the evidence credible, but said they had not yet fully recreated its findings.
Patrick Wardle, an Apple security expert and former researcher for the U.S. National Security Agency, said the discovery “confirms what has always been somewhat of a rather badly kept secret: that well-resourced adversaries can remotely and silently infect fully patched iOS devices.”
Because Apple was not aware of the software bug until recently, it could have been very valuable to governments and contractors offering hacking services. Exploit programs that work without warning against an up-to-date phone can be worth more than $1 million.

While Apple is largely viewed within the cybersecurity industry as having a high standard for digital security, any successful hacking technique against the iPhone could affect millions due to the device’s global popularity. In 2019, Apple said there were about 900 million iPhones in active use.
Bill Marczak, a security researcher with Citizen Lab, a Canada-based academic security research group, called the vulnerability discovery “scary.”
“A lot of times, you can take comfort from the fact that hacking is preventable,” said Marczak. “With this bug, it doesn’t matter if you’ve got a PhD in cybersecurity, this will eat your lunch.”

db8151dd: In February 2020, a massive trove of personal information referred to as "db8151dd" was provided to HIBP after being found left exposed on a publicly facing Elasticsearch server. The exposed data could not be attributed to an owner and appears to be related to a CRM which aggregated personal information and customer interactions. The data was provided to HIBP by dehashed.com.

Compromised data: Email addresses, Job titles, Names, Phone numbers, Physical addresses, Social media profiles